By now, you’ve surely heard about the hack of the Democratic National Committee that gathered thousands of email messages, the contents of which were exposed by WikiLeaks and ultimately caused Chairwoman Debbie Wasserman Schultz to resign. But did you also know that only last fall, the DNC commissioned a two-month security risk assessment that yielded dozens of recommendations to improve the security of its network? The real story is what happened next.
Apparently, nothing. Despite spending $60,000 and receiving recommendations to take “special precautions to protect any financial information related to donors and internal communications including e-mails,” the DNC did not take the next typical step of requesting a breach assessment to determine if their network had already been penetrated—an assessment that likely would have increased the chances of early detection and perhaps stopped the leak. We cannot know why the DNC failed to act, of course, but we can guess at some of the reasons.
“Important, but not urgent.” “No amount of security can protect us 100%, so why bother?” “No clear responsibility to act.” “Our passwords are good enough security.” “We haven’t been hacked yet, so why bother to pile on more security when we’re busy running our business?” Any of these excuses can apply equally to all of us. Whether it’s a sense of learned helplessness—“No one is 100% safe from hacking”—or a weird sense of safety in numbers—“Why hack me when there are millions of others?”—most of us put cyber security in the category of important, but not urgent. That needs to change.
Awareness Training
Unfortunately, even companies that have made some effort to increase security awareness are swimming upstream because, “[a]lthough some program[s] are well crafted, the effectiveness of many is low, the value is doubtful, and they are a waste of time and money, especially if they simply repeat policies followed by a multiple-choice test.” People struggle to comply with security guidance that is cumbersome or simply cannot be followed, and they reasonably put productivity ahead of compliance. So, how do we get people to follow security advice?
Keep it Simple, Make it Personal
- Forget unique passwords for every site. Sounds like cyber security heresy, but a recent Microsoft research report suggests that instead of requiring highly complex and unique passwords for every site, log-ins should be grouped according to risk and importance. For example, a password for corporate administrative access or your bank account should be complex and unique, while a common password might be used for association memberships. Don’t assume, however, that social media sites are not important. They are often the mother lode of phishing fodder. [Note, work and personal passwords should always be different.]
- Short and frequent beats long and rare. Annual training may be good enough for operational purposes, but it’s not enough for security awareness. It’s much more effective to deliver 30-second messages routinely than to require attendance at an annual training event, particularly if there is no good way to eliminate the distractions of mobile devices. Attention to security must become part of the fabric of the organization, and regular messaging helps with this.
- Give people simple things they can do every day. Gradually introduce security tools and tips so that people have time to acclimate and internalize the advice (think The 12 Days of Christmas). Each week or each month, provide a new tool or tip, and reinforce the ones given previously. For example, start by encouraging use of the easy shortcut, Windows key + L, to lock a Windows computer when leaving it unattended. No one can use the computer without entering the password, but locking won’t log out the current user or close any open programs.
- Consider your company’s realistic risk profile and prioritize security requests accordingly. People selectively choose which advice to follow and not to follow, and their choices aren’t always correct. Rather than overwhelm them with rules for events that are not likely to happen in your organization, focus instead on those that are highly likely, such as phishing. “The most effective education program[s] tend to be those based on people’s actual security challenges and customised according to their roles and geographical location.” Make examples relatable, like fictional vignettes that illustrate negative events. Stories about individuals and how they contributed to or were directly affected by a security incident can be more compelling than stories about mega-breaches of companies.
- Speak with authority. Another finding in the University of Maryland study is that participants “evaluate digital-security advice based primarily on the trustworthiness of the advice source.” Messaging regarding security should emanate from your organization’s IT security function, if not the training itself.
- Last, but not least: Information Governance. This post would not be complete without stating the obvious—hackers can’t hack what isn’t there. There’s a long list of organizations that wish they had gotten rid of old information sooner, or had not created it in the first place, among them Sony, the “poster child” hack that confirmed what not to do. Careful communications, good information hygiene, and generally treating information as a valuable business asset can go a long way toward limiting the fallout should a breach occur.